← Back to Explore
sigmamediumHunting
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
Detection Query
selection:
Image|endswith: /chflags
CommandLine|contains: "hidden "
condition: selection
Author
Omar Khaled (@beacon_exe)
Created
2024-08-21
Data Sources
macosProcess Creation Events
Platforms
macos
References
- https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
- https://ss64.com/mac/chflags.html
Tags
attack.defense-evasionattack.credential-accessattack.command-and-controlattack.t1218attack.t1564.004attack.t1552.001attack.t1105
Raw Content
title: Hidden Flag Set On File/Directory Via Chflags - MacOS
id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
status: test
description: |
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
references:
- https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
- https://ss64.com/mac/chflags.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-21
tags:
- attack.defense-evasion
- attack.credential-access
- attack.command-and-control
- attack.t1218
- attack.t1564.004
- attack.t1552.001
- attack.t1105
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/chflags'
CommandLine|contains: 'hidden '
condition: selection
falsepositives:
- Legitimate usage of chflags by administrators and users.
level: medium